Is SSL and Compression never secure in nginx?

Robert Krüger krueger at
Mon Jul 27 15:24:21 UTC 2015


I am working in a project where a password-protected extranet application
is behind an nginx proxy using ssl.

Now I asked the admin to enable server-side http-compression because we
tend to have rather lengthy json responses from our REST api and they
compress very well and the performance gain would be significant. He
decline doing that, explaining that because of the CRIME vulnerability, it
is not a good idea to enable compression when using ssl with nginx. Is this
really always the case? Are there scenarios where the vulnerability is not
a problem? I am trying to understand this better to make an informed
decision because not using compression (encryption is a must) would incur
other costs (optimizations in the code) and I don't just want to waste that
time and money unless I have to.

Thanks in advance,

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list